YEAR 2000 CERTIFICATION OF MISSION-CRITICAL
DOD INFORMATION TECHNOLOGY SYSTEMS

Report No. 98-147                          June 5, 1998

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, contact the Secondary Reports Distribution Unit of the Analysis, Planning, and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or FAX (703) 604-8932 or visit the Inspector General, DOD, Home Page at: WWW.DODIG.OSD.MIL.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Planning and Coordination Branch of the Analysis, Planning, and Technical Support Directorate at (703) 604-8908 (DSN 664-8908) or FAX (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: APTS Audit Suggestions)
    Inspector General, Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, Virginia 22202-2884

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@DODIG.OSD.MIL; or by writing to the Defense Hotline, The Pentagon, Washington, D.C. 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

Y2K                  Year 2000

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON,
VIRGINIA 22202

June 5, 1998

MEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE (COMMAND, CONTROL, COMMUNICATIONS, AND INTELLIGENCE)

SUBJECT: Audit Report on Year 2000 Certification of Mission-Critical DOD Information Technology Systems (Report No. 98-147)

We are providing this audit report for review and comment. We considered management comments on a draft of this report in preparing the final report.

DOD Directive 7650.3 requires that all recommendations be resolved promptly. We request you to provide planned actions and completion dates for the recommendations by July 6, 1998.

We appreciate the courtesies extended to the audit staff. Questions on the audit should be directed to Ms. Mary Lu Ugone at (703) 604-9049 (DSN 664-9049) or Mr. James W. Hutchinson at (703) 604-9060 (DSN 664-9060). See Appendix D for the report distribution. The audit team members are listed inside the back cover.

David K. Steensma
Deputy Assistant Inspector General
for Auditing

Office of the Inspector General, DOD
Report No. 98-147                          June 5, 1998
(Project No. 8AS-0011)

Year 2000 Certification of Mission-Critical
DOD Information Technology Systems

Executive Summary

Introduction.
This is one in a series of reports being issued by the Inspector General, DOD, in accordance with an informal partnership with the Chief Information Officer, DOD, to monitor DOD efforts to address the year 2000 computing challenge.

The year 2000 problem is the term most often used to describe the potential failure of information technology systems to process or perform date-related functions before, on, or after the turn of the next century.

Audit Objectives. Our objective was to determine whether the year 2000 certification process is adequate to ensure that mission-critical DOD information technology systems will continue to operate properly after the year 2000. Specifically, the audit examined DOD management policy and guidance relevant to certifying information technology systems as year 2000 compliant. The audit also evaluated the year 2000 certification process of selected mission-critical DOD information technology systems as implemented by the DOD Components.

Audit Results. DOD Components are not complying with year 2000 certification criteria before reporting systems as compliant. Of the 430 systems that DOD reported as year 2000 compliant in November 1997, we estimate that DOD Components certified only 109 systems (25.3 percent) as year 2000 compliant. As a result, DOD management reported as year 2000 compliant systems that have not been certified. More important, mission-critical DOD information technology systems may unexpectedly fail because they were classified as year 2000 compliant without adequate basis. The results are based on a randomly selected sample of 87 systems that DOD had reported as year 2000 compliant. Our statistical sampling methodology is described in Appendix A. A signed year 2000 compliance checklist was requested for each of the systems selected. See Part I for details of the audit results.

Summary of Recommendations.
We recommend that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) clarify certification requirements to include verification and validation, issue clear year 2000 quarterly reporting requirements, and develop guidance for signature by the Deputy Secretary of Defense that directs DOD Components to establish oversight processes and procedures to enforce the requirements established in the other recommendations.

Management Comments. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) concurred with the draft recommendations, stating that management currently is updating the Management Plan and must update the reporting requirements quarterly. Additionally, management will propose actions by the Deputy Secretary of Defense to clarify the importance of year 2000 compliance and the enforcement of reporting and evaluation requirements. See Part I for a summary of management comments and Part III for the complete text of the comments.

Audit Response. Management concurred with the recommendations but did not provide the specific actions to be implemented. Management stated that the Management Plan would be updated but did not discuss how the updated Management Plan would clarify year 2000 certification requirements. Management stated that the reporting requirements must be updated quarterly to comply with the latest Office of Management and Budget guidance but did not state that the guidance would be modified to prevent future occurrence of the errors that we identified in the report. Because of the time sensitivity of the year 2000 issue, the guidance on certification requirements needs to be effective immediately. Because the release date for the Management Plan update is unknown, an alternative solution may be to issue separate guidance on the certification process to be effective immediately.
We request that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) provide specific actions and associated completion dates for the guidance on certification requirements, quarterly reporting requirements, and the oversight process by July 6, 1998.

Table of Contents

Executive Summary

Part I - Audit Results
    Audit Background
    Audit Objectives
    Year 2000 Certification of Mission-Critical DOD Information Technology Systems

Part II - Additional Information
    Appendix A. Audit Process
        Scope and Methodology
        Statistical Sampling Methodology and Sampling Results
    Appendix B. Summary of Prior Coverage
    Appendix C. Certification and Testing Results for Mission-Critical DOD Information Systems Audited
    Appendix D. Report Distribution

Part III - Management Comments
    Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) Comments

Part I - Audit Results

Audit Background

Year 2000 Date Processing Problem. The year 2000 (Y2K) problem is the term most often used to describe the potential failure of information technology systems to process or perform date-related functions before, on, or after the turn of the next century. The Y2K problem is rooted in the way that dates are recorded and computed in automated information systems.
For the past several decades, systems have typically used two digits to represent the year, such as “97” representing 1997, to conserve electronic data storage and to reduce operating costs. With the two-digit format, however, the year 2000 is indistinguishable from 1900, or 2001 from 1901, and so forth. As a result of the ambiguity, system or application programs that use dates to perform calculations, comparisons, or sorting could generate incorrect results when working with years following 1999. Calculation of Y2K dates is further complicated because the year 2000 is a leap year, the first century leap year since 1600. The computer systems and applications must recognize February 29, 2000, as a valid date.

Because of the potential failure of computers to run or function throughout the Government, the President issued an Executive Order, “Year 2000 Conversion,” February 4, 1998, making it policy that Federal agencies ensure that no critical Federal program experiences disruption because of the Y2K problem. The Executive Order also requires that the head of each agency ensure that efforts to address the Y2K problem receive the highest priority attention in the agency. In addition, the General Accounting Office has designated resolution of the Y2K problem as a high-risk area, and DOD has recognized the Y2K issue as a material management control weakness area in the FY 1997 Annual Statement of Assurance.

As of November 1997, DOD reported 3,143 mission-critical systems* to the Office of Management and Budget. The total cost of the DOD Y2K effort was estimated at about $1.5 billion.

Department of Defense Year 2000 Management Plan.
The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) issued the “DOD Year 2000 Management Plan” (Management Plan) in April 1997. The Management Plan provides the overall DOD strategy and guidance for inventorying systems, prioritizing systems, retiring systems, and monitoring progress. The Management Plan makes the DOD Components responsible for implementing the five-phase Y2K management process. The goal is to have all DOD systems certified as Y2K compliant and implemented no later than November 1, 1999.

*When a mission-critical system’s capabilities are degraded, the organization realizes a resulting loss of a core capability.

The DOD Five-Phase Management Process. Each of the five phases is supported by program and project management and represents a major Y2K program activity or segment. The April 1997 Management Plan shows the following target completion dates for the five phases ranging from December 1996 through November 1, 1999.

- Phase I - Awareness. Awareness, education, and initial organization and planning take place. Target completion date: December 1996.

- Phase II - Assessment. Scope of Y2K effects is identified, and system-level analysis takes place. Target completion date: June 1997.

- Phase III - Renovation. Required system renovations are accomplished. Target completion date: December 1998.

- Phase IV - Validation. Systems are certified as Y2K compliant as a result of various testing and compliance processes. Target completion date: January 1999.

- Phase V - Implementation. Systems are fully operational after being certified in Phase IV.
Target completion date: November 1, 1999.

The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) is in the process of issuing an updated Management Plan, which further accelerates the target completion dates for the Renovation, Validation, and Implementation phases, resulting in a completion date of December 1998.

In a memorandum for the heads of executive departments and agencies, dated January 20, 1998, the Office of Management and Budget established a new target date of March 1999 for implementing all corrective actions to all systems. The new target completion dates are September 1998 for the Renovation phase and January 1999 for the Validation phase.

Certification. The Management Plan requires that the system developers or maintainers and the system’s functional proponent certify and document each system’s Y2K compliance. According to the Management Plan, a system is certified when the system manager signs a Y2K compliance checklist. An example of a Y2K compliance checklist is in Appendix B of the Management Plan. The purpose of the checklist is to assist system managers in ensuring that their systems are Y2K compliant.

Testing. The Management Plan states that a validation schedule should be developed for all systems during the assessment phase and that validation should be completed as soon as possible. Validation, according to the Management Plan, includes evaluating the system to determine whether it is Y2K compliant. Also during the assessment phase, every piece of code should be examined to determine whether any two-digit date handling is involved. According to the Management Plan, DOD Components should develop and document test and compliance plans and schedules for each converted or replaced application or system component.
Additionally, DOD Components are responsible for determining whether the vendor software is Y2K compliant. DOD Components must also ensure that the contractor-converted systems are tested.

Year 2000 Guidance Developed by DOD Components. The Army, the Air Force, the Defense Logistics Agency, and the Defense Information Systems Agency each issued internal Y2K guidance to address the Y2K problem. Each guidance package requires a compliance/certification checklist to be completed and testing to be done. The Washington Headquarters Services, the Defense Special Weapons Agency, the Defense Finance and Accounting Service, and the Assistant Secretary of Defense (Health Affairs) use the Management Plan for Y2K guidance.

Army. The Army “Project Change of Century Action Plan, Revision I,” October 4, 1996, provides the Army strategy and management approach for addressing the Y2K problem. The Army plan requires system developers or maintainers and the system’s functional proponent to certify and document each system’s Y2K compliance. According to the Army plan, testing must include regression testing, integrated testing, and simulated Y2K testing. The Army compliance checklist guidance dated June 1997 states that a system or device is not considered Y2K compliant until positive results have been achieved in accordance with compliance levels outlined in Section 10 of the Army plan checklist. The checklist is required for each Army system that has been reported to the Army year 2000 database. The checklist is required for systems previously assessed and found to be compliant, systems that contain no date information, and systems with no Y2K impact.

Air Force. The Air Force “Year 2000 Guidance Package,” April 1, 1997, describes the Air Force Y2K management issues and the five-phase resolution process.
The guidance states that system owners, users, designers, and developers should not assume that any system is Y2K compliant until it has been “extensively analyzed using proven methods.” The Air Force requires that every system classified as Y2K compliant have incorporated the compliance checklist in the validation process. The Air Force believes that completing the checklist will not guarantee that a system will be Y2K compliant, but that the checklist will give system managers a “tremendous start in their certification efforts.” The guidance states that each system should be certified as Y2K compliant after testing is complete, and it recommends the use of independent testing or validation organizations.

Defense Logistics Agency. The Defense Logistics Agency “Year 2000 AIS [Automated Information System] Certification Guidance,” October 27, 1997, defines the conditions that must be met for an automated information system to be considered Y2K compliant. The guidance states that the Y2K certification checklist is to be completed during testing. The Y2K certification checklist “only indicates potential readiness for the functional area to start functional testing.” The Y2K certification checklist is formally completed during functional testing. The completed checklist is sent to the Year 2000 Program Office to update the certification status.

Defense Information Systems Agency. The “Defense Information Systems Agency Year 2000 Testing Guideline,” November 12, 1997, provides the strategy for all systems that require Y2K testing by the Defense Information Systems Agency.
The guidance states that it can be used for all DOD systems to “provide reasonable assurance that the Y2K problem has been resolved.” The guidance states that tested systems are deemed compliant if they meet the compliance requirements in the Management Plan. The guidance states that Y2K test results should be used to determine whether the system is compliant. The guidance also states that the Defense Information Systems Agency’s goal is to ensure that the systems are Y2K compliant “by providing a rigorous Y2K test management approach.”

On January 22, 1998, the Vice Director of the Defense Information Systems Agency issued a memorandum recommending that central design activities (organizations that design and produce software that is used on a DOD Component-wide or DOD-wide basis) specifically qualify Y2K testing results to help avert potential legal liabilities. The suggested disclaimer provides no guarantee that any information technology product that passed Y2K compliance testing is actually Y2K compliant.

Audit Objectives

Our objective was to determine whether the Y2K certification process is adequate to ensure that mission-critical DOD information technology systems will continue to operate properly after the year 2000. Specifically, the audit examined DOD management policy and guidance relevant to certifying information technology systems as Y2K compliant. The audit also evaluated the Y2K certification process of selected mission-critical DOD information technology systems as implemented by the DOD Components.
See Appendix A for a discussion of the audit scope and methodology.

Year 2000 Certification of Mission-Critical DOD Information Technology Systems

Based on a randomly selected sample of 87 out of 430 systems that DOD reported as Y2K compliant in November 1997, we estimate that DOD Components certified only 109 (25.3 percent) of the 430 systems as Y2K compliant. Although the Management Plan contains guidance regarding Y2K certification, the DOD Components did not certify the majority of the sampled systems reported as Y2K compliant.

Systems were not certified because DOD Components did not adequately implement and enforce the guidance in the Management Plan or their own Y2K guidance. Additionally, the Management Plan is not consistently clear as to specific Y2K certification requirements.

As a result, DOD management reported as Y2K compliant systems that have not been certified. More important, mission-critical DOD information technology systems may unexpectedly fail because they were classified as Y2K compliant without adequate verification and validation.

DOD Year 2000 Guidance

Y2K Status Reporting. The DOD Components are required to report quarterly to the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) the Y2K status of their mission-critical systems. In turn, the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) provides the results to the Office of Management and Budget. In November 1997, DOD reported that 430 DOD mission-critical systems (excluding 242 systems from DOD intelligence organizations) were Y2K compliant.
The following table shows the number of systems reported as Y2K compliant for each DOD Component.

Y2K Compliant Mission-Critical Systems: November 1997

Component                                          Number of Y2K Compliant Systems
Assistant Secretary of Defense (Health Affairs)                                 42
Department of the Army                                                         188
Department of the Air Force                                                     97
Defense Contract Audit Agency                                                    1
Defense Finance and Accounting Service                                          12
Defense Information Systems Agency                                              14
Defense Logistics Agency                                                        17
Defense Security Assistance Agency                                               1
Defense Special Weapons Agency                                                   3
Washington Headquarters Services                                                55
Total                                                                          430

The Department of the Navy did not report any compliant systems for the November 1997 Quarterly Report.

DOD Year 2000 Certification Requirements and Process. The Management Plan states that system owners, users, designers, and developers cannot assume that any system is Y2K compliant until the system manager certifies it. According to the Management Plan, a system is not certified until the system manager signs a Y2K compliance checklist. The checklist is a tool for ensuring that the system manager has considered Y2K aspects.
Those aspects include whether the system successfully processes data containing dates in the twentieth and twenty-first centuries and other indirect date usage, whether the system accurately recognizes and processes the year 2000 as a leap year and other internal usage of dates, and whether the DOD Component has identified external system interfaces and the type of date fields used by the system. The checklist also poses Y2K considerations if commercial software or software that the Government previously developed is used in the system. The Y2K guidance that the Army, the Air Force, the Defense Logistics Agency, and the Defense Information Systems Agency developed also requires the completion of a checklist.

Purpose of the Y2K Compliance Checklist. The overall intent of the Y2K compliance checklist is to help guide the system manager in ensuring that a system is Y2K compliant. A Y2K compliant system accurately processes and calculates date data from, into, and between the twentieth and twenty-first centuries and correctly recognizes leap years. Additionally, the system should successfully process data containing dates with no adverse effect on the application’s functionality. The system manager should accomplish two vital steps before certifying a system as compliant. The first step is verification that all potential Y2K impacts on the system were identified and, if necessary, that the selection and implementation of appropriate solutions were made. The second step is validation that any Y2K corrective actions are effective, and that the system accurately processes and calculates dates between centuries.
Validation is normally performed through actual testing; the type of validation performed directly relates to the level of certification indicated on the checklist. Completion of the Y2K compliance checklist is not a guarantee of Y2K compliance; however, completion of the Y2K compliance checklist for each mission-critical system should provide senior management with an indicator and documented evidence that the system has been appropriately reviewed for potential Y2K impacts and that the necessary corrections were implemented.

Compliance With Year 2000 Certification Guidance

The level of compliance with Y2K certification requirements was low, and specific Y2K certification requirements were not uniformly clear. For each of the 87 systems randomly selected from the 430 systems that DOD had reported as Y2K compliant, we asked the designated point of contact for the certification date of the system and a copy of the Y2K compliance checklist. Our statistical sampling approach and methodology is described in Appendix A. We received answers to the questionnaire for 83 of the 87 systems.

Compliance With Certification Requirements. System representatives provided a copy of a Y2K compliance checklist, signed as of November 1997, for only 22 of the 83 systems that provided results in our sample. After allowing for the 4 systems for which we received no results, we concluded, with a 95 percent confidence level, that between 265 and 338 systems were not certified.
Using the unbiased point estimate of 301 systems, we project that 70 percent of the systems reported as compliant in November 1997 did not complete a Y2K compliance checklist, which the system manager also signed as of November 1997.

Also, the existence of a completed and signed Y2K compliance checklist did not always mean that the system was Y2K compliant. The points of contact for 3 of the 22 systems in our sample with completed and signed checklists indicated that the systems were not fully Y2K compliant at the time that the checklist was signed. We also noted that the Management Plan does not clearly require that validation of Y2K compliance, such as testing systems impacted by dates, be completed before certification. The requirement in the Management Plan for certification is that the system manager signs the Y2K compliance checklist. Another 2 of the 22 systems in our sample certified as Y2K compliant were not validated and had “not applicable” for every answer on the checklist. DOD Components need to test systems impacted by dates to validate that the system is Y2K compliant. The Management Plan’s Y2K certification process should state a clear requirement for validation, including testing for systems impacted by dates, or the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) should issue separate guidance on the certification process.

The Defense Finance and Accounting Service and the Defense Logistics Agency provided completed and signed checklists for all of their systems included in our sample.
Appendix C presents the audit results for each of the sampled systems.

Clarity of Year 2000 Certification Guidance. The Management Plan does not clearly describe the certification process or specific requirements. For example, the Management Plan:

- states that system manager signature on the checklist constitutes certification, but does not prohibit the checklist from being signed before full Y2K compliance is achieved;

- does not clearly state that completion of the Y2K compliance checklist, or a similar checklist providing for Y2K verification and validation, is required before a system can be reported as Y2K compliant;

- does not define the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) or DOD Component-level oversight requirements or processes for DOD Y2K organizations and actions to ensure accurate Y2K reporting; and

- provides for a level of certification defined as “not certified or not certified yet.” The legitimacy of certifying a system on that basis is not clear.

The purpose of the Y2K compliance checklist is to assist in ensuring that the system is Y2K compliant; however, system managers could complete and sign the checklist without the system being fully compliant or validated for compliance. The Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) should include requirements for compliance and validation in the certification process in the Management Plan. Currently, the only specific requirement for Y2K certification in the Management Plan is the system manager’s signature on the Y2K compliance checklist.
The Management Plan has been under revision for more than 6 months.

Year 2000 Testing of Mission-Critical Systems

Certification Levels. The Management Plan compliance checklist requires that each system representative indicate a level of certification. Some of the certification levels are keyed to the particular type of validation performed. For example, a system representative would indicate a certification level of “1” if the system was independently tested. A system would merit a level of “2” if an independent audit of the system and existing testing was performed. Although caution is provided that an assumption of higher risk is involved, several certification level “3” options are described for self-certification. The self-certification levels are not keyed to any particular type of testing.

Because self-certification can involve considerable risk to obtaining an objective validation that a system is Y2K compliant and because the certification level that the checklist in the Management Plan requires is not keyed to any particular type of validation, our questionnaire contained additional validation choices on which system managers could have based certification levels. We asked the point of contact for each system in our sample to select the most appropriate choice from our list of bases for certification.

Types of Y2K Validation Performed.
     Of the 83 systems that provided results in
     our sample, 32 were actually tested for Y2K compliance; 14 systems were
     inspected without testing (such as a manual review of the system’s software code);
     7 systems were considered Y2K compliant based on a statement from another
     organization; and 30 systems were considered Y2K compliant without testing,
     inspection without testing, or a statement from another organization regarding
     Y2K compliance. The Defense Finance and Accounting Service and the Defense
     Logistics Agency provided test results for all of their sampled systems. The
     points of contact for 17 of the 51 systems that did not undergo actual testing
     stated that they are currently testing or will test the systems in the future. The
     points of contact for 2 of the 32 systems that were actually tested stated that they
     will perform additional testing of the systems.

     We considered actual testing to be independent testing or organizational testing,
     with or without an independently verified process. However, we fully recognize
     that other types of validation may be an adequate basis for certification. For
     instance, software inspection may be adequate when the individual inspecting the
     software does not anticipate a date processing dependency, such as for software
     embedded in weapon systems. While embedded software probably measures
     elapsed time, the need to measure elapsed days in a combat scenario is not
     probable. The same assumption, however, cannot be made for software that
     supports a weapon system. For example, an aircraft maintenance system probably
     has date dependencies.
     The system points of contact for 6 of the 14 systems in
     our sample that were inspected without testing stated that the system did not use
     dates.

     Although the Management Plan states that DOD Components should complete
     validation of the system as soon as possible, it does not clearly require system
     managers to validate Y2K compliance before certification of a system. Testing is
     the tool used to validate that a system impacted by dates will correctly process
     date and date-related data in the twentieth and twenty-first centuries. According
     to the Management Plan, DOD Components must test the individual applications,
     computer platforms, operating systems, utilities, applications, databases, and
     interfaces for Y2K compliance.

     Of the 430 systems reported as compliant in November 1997, our sample
     results, which are detailed in Appendix A, showed that the majority did not
     undergo actual testing to validate Y2K compliance. Based on our sample
     results, we project the following:

             • 158 (36.8 percent) of the 430 systems reported as compliant were
     actually tested for Y2K compliance.

             • 69 (16.1 percent) of the 430 systems reported as Y2K compliant were
     determined to be Y2K compliant through an inspection of the system without
     testing.

             • 35 (8 percent) of the 430 systems reported as Y2K compliant were
     classified as Y2K compliant based on statements from another organization.
     The Management Plan states that the DOD Component must determine whether the
     vendor software is Y2K compliant, and it must not accept vendor certification at
     face value.

             • 148 (34.5 percent) of the 430 systems were reported as compliant
     without testing, inspection without testing, or a statement from another
     organization regarding Y2K compliance.

     Four systems did not provide answers to our questionnaire. Therefore, the
     projection categories just listed do not total 430 systems, or 100 percent.


Impact on Accuracy of DOD Reports
     The DOD Components did not correctly report many of the 87 systems selected
     from the 430 systems that DOD reported as Y2K compliant in November 1997.
     Inspector General, DOD, Report No. 98-077, “Year 2000 Computing Problem
     Reports: August 1997 Report,” February 18, 1998, states that Y2K reporting
     definitions and procedures were not clear or well understood by DOD
     Components. Accordingly, the information that DOD provided to the Office of
     Management and Budget was not fully reliable. The results of this audit
     indicate that the requirements related to Y2K quarterly reporting are still not
     well understood or consistently complied with.
     For example:

             • For 9 of the 87 systems in our sample, the points of contact indicated
     that the systems are no longer classified as mission-critical.

             • For 13 of the 87 systems, the points of contact indicated that the systems
     were actually in a Y2K phase before implementation.

             • For 4 of the 87 systems, the points of contact indicated that the systems
     were in the development stage, were not developed, or were not received.

             • According to the point of contact, one Y2K compliant system in our
     sample was an office of people, not an automated system.

     The primary purpose of the quarterly reports is to provide senior DOD and
     Federal Government managers with a tool to measure progress in the solving of
     the Y2K “problem.” We noted that the number of systems that DOD reported
     in November 1997 as already Y2K compliant actually decreased by 91 systems
     (excluding DOD intelligence agencies) from the August 1997 report. We
     believe that the primary reason for that decrease in compliant systems is more
     conservative and realistic reporting by the DOD Components. While we
     applaud more accurate Y2K reporting, we also recognize that the decrease in
     Y2K compliant systems reported in November 1997 indicates that a baseline for
     measuring progress has yet to be established. Until DOD issues firm reporting
     guidance, we concluded that a stable and useful reporting baseline will continue
     to be elusive.


Conclusion

     DOD is reporting systems as Y2K compliant that have not been appropriately
     certified or validated. Of the 430 systems reported in November 1997 as Y2K
     compliant, we project that only 109 were certified as Y2K compliant.
     Certification
     of Y2K compliance is required not only for accurate reporting, but also for
     providing DOD senior management with reasonable assurance that DOD automated
     systems will continue to operate correctly into the next century. The inappropriate
     reporting of systems as compliant may impede DOD from obtaining the necessary
     visibility to ensure a thorough and successful transition to Y2K compliance for all
     DOD systems. Without that smooth transition, DOD mission-critical information
     technology systems may unexpectedly fail because they were erroneously
     classified. The Y2K certification process should include clear requirements for
     compliance and validation, including testing for systems impacted by dates, to help
     ensure that mission-critical systems will not fail upon the turn of the century.

     Sufficient time to fix the DOD Y2K “problem” is quickly running out. The year
     2000 will arrive exactly on schedule. Senior DOD management cannot afford to
     make Y2K program decisions based on highly inaccurate information. If DoD
     does not take the action that it needs to obtain accurate information as to the
     status of its Y2K efforts, we believe that serious Y2K failures may occur in DOD
     mission-critical information technology systems.


Recommendations, Management Comments, and Audit
Response
     We recommend that the Assistant Secretary of Defense (Command, Control,
     Communications, and Intelligence):

     1. Issue to DOD Components clarified DOD year 2000 certification
     requirements, to include specific verification and validation requirements, to
     be effective immediately.

     2. Issue to DOD Components clear, firm year 2000 quarterly reporting
     requirements.

     3. Develop guidance for the signature of the Deputy Secretary of Defense
     that directs DOD Components to establish oversight processes and procedures
     to effectively enforce the DOD requirements established in
     Recommendations 1. and 2.

     Management Comments. The Office of the Assistant Secretary of Defense
     (Command, Control, Communications, and Intelligence) concurred with our
     recommendations. Management currently is updating the Management Plan.
     Management stated that the reporting requirements must be updated quarterly and
     that our audit results will be used to improve the reporting instructions.
     Additionally, management will propose actions by the Deputy Secretary of
     Defense to clarify the importance of year 2000 compliance and the enforcement of
     reporting and evaluation requirements.

     Audit Response. Although management concurred with the recommendations,
     management did not provide the specific actions to be implemented. Management
     stated that the Management Plan would be updated but did not discuss how the
     updated Management Plan would clarify year 2000 certification requirements.
     Management stated that the reporting requirements must be updated quarterly to
     comply with the latest Office of Management and Budget guidance but did not
     state that the guidance would be modified to prevent the errors we identified in the
     report from occurring in the future. Because of the time sensitivity of this year
     2000 issue, the guidance on certification requirements needs to be effective
     immediately. Because the release date for the Management Plan update is
     unknown, an alternative solution may be to issue separate guidance on the
     certification process to be effective immediately.
     We request that the Assistant
     Secretary of Defense (Command, Control, Communications, and Intelligence)
     provide specific actions and associated completion dates for the guidance on the
     certification process, quarterly reporting, and the oversight process by
     July 6, 1998.


Part II - Additional Information

Appendix A. Audit Process
     This is one of a series of reports being issued by the Inspector General, DOD, in
     accordance with an informal partnership with the Chief Information Officer,
     DOD, to monitor DOD efforts to address the Y2K computing challenge. For a
     listing of audit projects addressing this issue, see the Y2K webpage on IGNET
     at <http://www.ignet.gov/>.


Scope and Methodology
     Work Performed. We reviewed and evaluated the DOD Year 2000
     Management Plan issued by the Assistant Secretary of Defense (Command,
     Control, Communications, and Intelligence) in April 1997. We compared the
     Y2K guidance and compliance checklists issued by the Army, the Air Force, the
     Defense Logistics Agency, and the Defense Information Systems Agency with
     the Management Plan guidance and the Y2K compliance checklist. We
     distributed a questionnaire to the system representatives for 87 statistically
     selected systems from the 430 DOD mission-critical systems reported as
     compliant to determine the basis used for certifying the system as Y2K
     compliant. We performed an analysis of the questionnaire responses and
     evaluated the year 2000 certification process of selected mission-critical DOD
     information technology systems as implemented by the DOD Components.

     Limitations to Audit Scope. The Management Plan requires external
     interfaces to be validated as Y2K compliant for the system to be certified as
     Y2K compliant.
     However, for the purpose of this audit, we asked questions
     regarding the specific system statistically selected; therefore, we did not ensure
     in all cases that external interfaces or operating systems for the specific audited
     system were compliant.

     Use of Computer-Processed Data. No computer-processed data were used in
     the course of the audit.

     Use of Technical Assistance. Assistance was provided by an Operations
     Research Analyst of the Quantitative Method Division of the Office of the
     Assistant Inspector General for Auditing, DOD. He assisted us in generating a
     random sample and projecting the results from our sample to the sample
     universe.

     Audit Type, Dates, and Standards. We performed this program audit from
     December 1997 through March 1998 in accordance with auditing standards
     issued by the Comptroller General of the United States, as implemented by the
     Inspector General, DOD.

     Contacts During the Audit. We visited or contacted individuals and
     organizations within the DOD. Further details are available on request.

     Management Control Program. We did not review the management control
     program related to the overall audit objective because DOD recognized the Y2K
     issue as a material management control weakness area in the FY 1997 Annual
     Statement of Assurance. This report does present a material management
     control weakness. Specifically, the management controls are not adequate to
     ensure accurate quarterly reporting. However, separate reporting of that
     weakness is unnecessary.


Statistical Sampling Methodology and Sampling Results

     Sampling Purpose.
     The purpose of the statistical sampling plan is to estimate
     the number of mission-critical DOD information technology systems that were
     certified or tested and those that were not certified or tested.

     Universe Represented and Sampling Design. The table on page 7 of this
     report includes the universe data. The 430 systems were reported to the Office
     of Management and Budget as compliant by the Assistant Secretary of Defense
     (Command, Control, Communications, and Intelligence) in November 1997.
     We asked the system representatives for the statistically selected systems to
     answer a questionnaire regarding the date on which the system was certified and
     the basis for certification (such as testing, inspection, or certification by another
     organization). We randomly selected 87 systems from the sample universe.

     Certification Sampling Results. Of those 87 systems, 22 systems were
     certified, 61 systems were not certified, and no results were received for
     4 systems. Statistical projections of the results of systems certified and not
     certified are calculated over the universe by using 95-percent confidence levels.
     The projected results for certification are in Table A-1.

          Table A-1. DoD Mission-Critical Systems Certified for Year 2000
                                  Compliance

                             Lower Bound     Point Estimate     Upper Bound
     Certified                    74              109               144
     Not Certified                2:;             301               G
     No Results                    4               20                37

     The above projections show that we are 95-percent confident that between
     74 and 144 systems were certified. For the purpose of this report, we used the
     unbiased point estimate of 109 for the number of systems certified.
     The results
     can be interpreted similarly for the systems not certified and the systems with no
     results.

     Projections for the total values for lower and upper bounds have been calculated
     independently and may not necessarily be the direct sum of two individual
     components.

     Validation Sampling Results. Of the 87 sampled systems, 32 systems were
     tested for Y2K compliance, 14 systems were determined to be Y2K compliant
     through an inspection of the system without testing, 7 systems were classified as
     Y2K compliant based on statements from another organization, 30 systems were
     not tested or inspected and did not obtain a statement from another organization
     regarding compliance, and 4 systems did not provide answers to the
     questionnaire. Statistical projections of the results of Y2K compliance
     validation are calculated over the universe by using 95-percent confidence
     levels. The projected results for testing are in Table A-2.

          Table A-2. DoD Mission-Critical Systems Validated for Year 2000
                                   Compliance

                               Lower Bound     Point Estimate     Upper Bound
     Tested                        119              158               197
     Inspected                      40               69                99
     Statements from
       another organization         13               35
     No testing                    110              148              1581
     No results                      4               20                37

     The above projections show that we are 95-percent confident that between
     119 and 197 systems were actually tested for Y2K compliance.
     For the purpose
     of this report, we used the unbiased point estimate of 158 for the number of
     systems actually tested. The results can be interpreted similarly for the systems
     inspected, systems classified as Y2K compliant based on statements from
     another organization, systems not tested, and systems with no results.

     Projections for the total values for lower and upper bounds have been calculated
     independently and may not necessarily be the direct sum of two individual
     components.


Appendix B. Summary of Prior Coverage
     The General Accounting Office and the Inspector General, DOD, have
     conducted multiple reviews related to Y2K issues. General Accounting Office
     reports can be accessed over the Internet at http://www.gao.gov. Inspector
     General, DOD, reports can be accessed over the Internet at
     http://www.dodig.osd.mil.


Inspector General, DOD
     Inspector General, DoD, Report No. 98-077, “Year 2000 Computing
     Problem Reports: August 1997 Report,” February 18, 1998. The report
     states that the DOD Component second quarter reports on the Y2K issue did not
     provide all the required information and were not fully reliable. Accordingly,
     DOD will not have an adequate baseline to effectively measure its Y2K
     progress. Additionally, DOD Components did not consistently interpret the
     Chief Information Officer reporting requirements. The Management Plan
     provides definitions for “system” and “mission-critical,” but definitions are
     nonspecific and open to interpretation. Also, DOD did not establish clear
     reporting guidance and requirements.
     The report recommended that the
     Assistant Secretary of Defense (Command, Control, Communications, and
     Intelligence), in the role of the DOD Chief Information Officer, update the DOD
     Year 2000 Management Plan to reflect changes in reporting requirements and
     include adequate procedures on how Y2K quarterly reports should reconcile.
     The Assistant Secretary of Defense (Command, Control, Communications, and
     Intelligence) concurred and stated that the DOD Y2K Management Plan would
     be updated accordingly.

     Inspector General, DOD, Report No. 98-074, “Sharing Year 2000 Testing
     Information on DoD Information Technology Systems,”
     February 12, 1998. The report states that DOD has designated the use of
     homepages on the Internet as the primary means of sharing Y2K-related
     information, and DOD Components have made progress in establishing Y2K
     information on their respective homepages. However, the process for sharing
     Y2K testing information can be more effective. DOD Components may be
     inefficiently spending time-sensitive resources in solving the Y2K problem
     through the duplication of efforts and in attempting to locate accurate testing
     information. The ability to retrieve and use all appropriate testing information
     in a timely and efficient manner will be instrumental in the solution of the Y2K
     problem.
The report recommended that the Assistant Secretary of Defense\n    (Command, Control, Communications, and Intelligence), as the DOD Chief\n    Information Officer, establish a DOD-sponsored Y2K testing information center\n    within DOD for gathering, analyzing, storing, and disseminating Y2K-related\n    testing information and provide Y2K hotline services to the DOD Components.\n    Further, the report recommended that DOD Components be notified of the\n    testing center\xe2\x80\x99s Y2K role and responsibilities and of the DOD Components\xe2\x80\x99\n    responsibility to share testing information and that DOD intemet homepages be\n\n                                        19\n\x0cAppendix B. Summary of Prior Coverage\n\n      organized to enable users to quickly and easily access the center for Y2K testing\n      information. Although the Assistant Secretary of Defense (Command, Control,\n      Communications, and Intelligence) concurred with the recommendations, our\n      intent was to establish a DOD-sponsored Y2K testing information center,\n      recognized by the other DOD Components, to organize and provide links to the\n      Y2K testing information provided on the intemet by the DOD Components.\n      Accordingly, we added recommendations to clarify the actions needed to\n      sufficiently identify, publicize, and access sources of Y2K testing information.\n      We requested comments on the additional recommendations.\n\n\n\n\n                                           20\n\x0cAppendix C. Certification and Testing Results\nfor Mission-Critical DOD Information Systems\nAudited\n                No                        Certification by          Inspection\n              Testing\xe2\x80\x99       Testing\xe2\x80\x99   Another Organization\xe2\x80\x9d    Without Testing\xe2\x80\x99   Certified\xe2\x80\x99   Note6\n             ~           ~\n\nDepartment of the Air Force\n\n1.             
Yes             No              No                    No               No         a\n2.             Yes             No              No                    No               No         C\n\n3.             Yes             No              No                    No               No         d\n4.             Yes             No              No                    No               No         a, d. c\n5.             No              Yes             No                    No               Yes        d\n6.             No              Yes             No                    No               Yes\n7.             No              Yes             No                    No               Yes\n8.             Yes             No              No                    No               No\n9.             Yes             No              No                    No               No\n10.            Yes             No              No                    No               No\nII.            Yes             No              No                    No               No\n12.            Yes             No              No                    No               NV\n13.            N/A\xe2\x80\x99            N/A             N/A                   N/A              N/A\n14.            Yes             No              No                    No               No\n15.            No              Yes             No                    No               Yes\n16.            Yes             No              No                    No               No         b. e\n17.            Yes             No              No                    No               No         a\n18.            No              Yes             No                    No               Yes\n 19.           No              Yes             No                    No               No         b, d\n20.            Yes             No              No                    No               No         a\n21.            
Yes             No              No                    No               No         C\n\n22.            No              No              No                    Yes              No\n23.            No              Yes             No                    No               No\n24.            No              Yes             No                    No               Yes\n\nDepartment of the Army\n\n 25.            No             No               No                    Yes               No\n 26.            No             No               Yes                   No                Yes\n 27.            No             No               Yes                   No                No\n 28.            Yes            No               No                    No                No\n 29.            Yes            No               No                    No                No\n 30.            No             No               No                    Yes               No\n 31.            No             No               No                    Yes               No\n 32.            Yes            No               No                    No                No\n 33.            No             No               Yes                   No                No\n 34.            Yes            No               No                    No                No           a\n 35.            No             Yes              No                    No                Yes\n 36.            Yes            No               No                    No                No           b\n 37.            No             Yes              No                    No                No\n 38.            No             Yes              No                    No                Yes\n 39.            No             No               Yes                   No                No           a. e\n\n\n\n Note: See the footnotes at the end of the appendix.\n\n\n\n\n                                                                21\n\x0cAppendix C. 
Certification and Testing Results for Mission-Critical DOD\nInformation Systems Audited\n\n                No                      Certification by        Inspection\n              Testing      Testing    Another Organization   Without Testing   Certified\n\n\nDepartment of the Army (cont\xe2\x80\x99d)\n\n40.            No            Yes                  No               No             No       e\n41.            No            Yes                  No               No             No       e\n42.            Yes           No                   No               No             Yes      h\n43.            No            Yes                  No               No             No\n44.            No            No                   No               Yes            No       e\n45.            No            No                   No               Yes            No       d, f\n46.            Yes           No                   No               No             No       i\n47.            No            No                   No               Yes            No       e\n48.            No            No                   Yes              No             No       e\n49.            N/A           N/A                  N/A              N/A            NIA      d\n50.            No            No                   No               Yes            No       f\n51.            Yes           No                   No               No             No\n52.            No            Yes                  No               No             Yes\n53.            No            Yes                  No               No             Yes\n54.            Yes           No                   No               No             No\n55.            No            No                   Yes              No             No\n56.            
No            No                   Yes              No             No\n57.\n58.\n59.\n               Yes\n               No\n               No\n                             No\n                             No\n                             No\n                                                  No\n                                                  No\n                                                  No\n                                                                   No\n                                                                   Yes\n                                                                   Yes\n                                                                                  No\n                                                                                  No\n                                                                                  No\n                                                                                           a\n                                                                                           f\n60.            No            Yes                  No               No             Yes\n61.            No            No                   No               Yes            No       f\n62.            Yes           No                   No               No             No       a. e\n63.            NIA           N/A                  N/A              NIA            NIA      d\n64.            NIA           N/A                  N/A              N/A            N/A      d\n\nDefense Finance and Accounting Servtce\n\n65.            No            Yes                  No               No               Yes\n66.            No            Yes                  No               No               Yes\n\nDefense Information Systems Agency\n\n67.            No            Yes                   No              No               No\n68.            Yes           No                    No              No               No\n69.            
No            Yes                   No              No               No\n\nDefense Logistics Agency\n\n70.            No            Yes                   No              No               Yes\n71.            No            Yes                   No              No               Yes\n\nDefense Special Weapons Agency\n\n 72.           No             No                  No               Yes              No\n\nAssistant Secretary of Defense (Health Affairs)\n\n 73.           Yes            No                  No               No               No\n 74.           No             Yes                 No               No               No\n 75.           No             No                  No                Yes             No\n\nNote: See the footnotes at the end of the appendix.\n\n\n\n\n                                                             22\n\x0c                     Appendix C. Certification and Testing Results for Mission-Critical DoD\n                                                              Information Svstems Audited\n\n                        No                        Certification by       Inspection\n                    Testing         Testing    Another Organization   Without Testing   Certified               Note\n                -               -\n\nAssistant   Secretary     of Defense (Health Affairs)   (cont\xe2\x80\x99d)\n\n76.                 No                 Yes               No                 No               No\n77.                 No                 Yes               No                 No               Yes\n78.                 Yes                No                No                 No               No             e\n\nWashington     Headquarters         Services\n\n79.                 No                 Yes               No                 No               ND\n80.                 Yes                No                No                 No               No             a\n81.                 
No                 Yes               No                 No               Yes\n82.                 No                 No                No                 Yes              No\n83.                 No                 Yes               No                 No               No\n84.                 Yes                No                No                 No               No             b, e\n85.                 No                 Yes               No                 No               Yes\n86.                 No                 Yes               No                 No               Yes\n87.                 No                 Yes               No                 No               Yes\n\n\n\nAs of November 1997, the system was reported as compliant without testing, an inspection without testing, or a statement from\nanother organization regarding Y2K compliance.\nThe system was independently tested or tested by the DOD Component for Y2K compliance.\nThe system was classified as compliant based on a statement from another organization.\nThe system was inspected for ability to process data, but no testing was performed to determine Y2K compliance.\nThe point of contact provided a Y2K compliance checklist signed as of November 1997.\nThe following notes apply to the system at the time of the audit:\n            a. System is in the renovation phase.\n            b. System is in the validation phase.\n            c. System is under development.\n            d. System is no longer classified as mission-critical.\n            e. System is currently being tested or will be tested in the future.\n            f. Year 2000 dates do not impact the system.\n            g. Element is an office, not a system.\n            h. Software for system was not developed.\n            i. 
System had not been received by point of contact.\nQuestion not answered on questionnaire.\n\n\nAppendix D. Report Distribution\n\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition and Technology\n   Deputy Under Secretary of Defense (Logistics)\n   Director, Defense Procurement\n   Director, Defense Logistics Studies Information Exchange\nUnder Secretary of Defense (Comptroller)\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nUnder Secretary of Defense for Personnel and Readiness\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n   DOD Year 2000 Project Officer\nAssistant Secretary of Defense (Health Affairs)\nAssistant Secretary of Defense (Public Affairs)\n\n\nJoint Staff\nDirector, Joint Staff\n\n\nDepartment of the Army\nAuditor General, Department of the Army\nChief Information Officer, Army\n\n\nDepartment of the Navy\nAssistant Secretary of the Navy (Financial Management and Comptroller)\nAuditor General, Department of the Navy\nChief Information Officer, Navy\n\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\nChief Information Officer, Air Force\n\n\nUnified Commands\nCommander in Chief, U.S. European Command\nCommander in Chief, U.S. Pacific Command\nCommander in Chief, U.S. Atlantic Command\nCommander in Chief, U.S. Southern Command\nCommander in Chief, U.S. Central Command\nCommander in Chief, U.S. Space Command\nCommander in Chief, U.S. Special Operations Command\nCommander in Chief, U.S. Transportation Command\nCommander in Chief, U.S. 
Strategic Command\n\nOther Defense Organizations\nDirector, Ballistic Missile Defense Organization\n    Chief Information Officer, Ballistic Missile Defense Organization\nDirector, Defense Advanced Research Projects Agency\n    Chief Information Officer, Defense Advanced Research Projects Agency\nDirector, Defense Commissary Agency\n    Chief Information Officer, Defense Commissary Agency\nDirector, Defense Contract Audit Agency\n    Chief Information Officer, Defense Contract Audit Agency\nDirector, Defense Finance and Accounting Service\n    Chief Information Officer, Defense Finance and Accounting Service\nDirector, Defense Information Systems Agency\n    Inspector General, Defense Information Systems Agency\n    Chief Information Officer, Defense Information Systems Agency\nDirector, Defense Legal Services Agency\n    Chief Information Officer, Defense Legal Services Agency\nDirector, Defense Logistics Agency\n    Chief Information Officer, Defense Logistics Agency\nDirector, Defense Security Assistance Agency\n    Chief Information Officer, Defense Security Assistance Agency\nDirector, Defense Security Service\n    Chief Information Officer, Defense Security Service\nDirector, Defense Special Weapons Agency\n    Chief Information Officer, Defense Special Weapons Agency\nDirector, National Security Agency\n    Inspector General, National Security Agency\nDirector, On-Site Inspection Agency\n    Chief Information Officer, On-Site Inspection Agency\nDirector, Washington Headquarters Services\nInspector General, Defense Intelligence Agency\nInspector General, National Imagery and Mapping Agency\n\n
Non-Defense Federal Organizations and Individuals\nChief Information Officer, General Services Administration\nOffice of Management and Budget\n   Office of Information and Regulatory Affairs\nTechnical Information Center, National Security and International Affairs Division,\n   General Accounting Office\nDirector, Defense Information and Financial Management Systems, Accounting and\n   Information Management Division, General Accounting Office\n\nChairman and ranking minority member of each of the following congressional committees\n   and subcommittees:\n\n   Senate Committee on Appropriations\n   Senate Subcommittee on Defense, Committee on Appropriations\n   Senate Committee on Armed Services\n   Senate Committee on Governmental Affairs\n   Senate Special Committee on the Year 2000 Technology Problem\n   House Committee on Appropriations\n   House Subcommittee on National Security, Committee on Appropriations\n   House Committee on Government Reform and Oversight\n   House Subcommittee on Government Management, Information, and Technology,\n      Committee on Government Reform and Oversight\n   House Subcommittee on National Security, International Affairs, and Criminal Justice,\n      Committee on Government Reform and Oversight\n   House Committee on National Security\n\n\nPart III - Management Comments\n\nOffice of the Assistant Secretary of Defense\n(Command, Control, Communications, and\nIntelligence) Comments\n\n              OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE\n                            6000 DEFENSE PENTAGON\n                           WASHINGTON, DC 20301-6000\n                               May 11, 1998\n\n\n\n\n        MEMORANDUM FOR DIRECTOR ACQUISITION MANAGEMENT, OIG\n\n        Subject: Audit Report on Year 2000 Certification of\n                 Mission-Critical DoD Information Technology\n                 Systems (Project No. 
8AS-0011)\n\n\n              We appreciate the work done by your staff in examining\n        certification and compliance reporting of DoD information\n        technology systems.  The reporting disparities identified\n        by your staff point to the need for explanations in\n        defining reporting requirements. They also point out\n        inaccuracies in reports to OSD from the DoD Components.\n\n             We concur with each of your recommendations. We are\n        in the process of updating the DoD Year 2000 Management\n        Plan. We need your review of the update to make sure it\n        improves guidance on verification and validation\n        requirements, especially with regard to independent\n        certification rather than self-certification. We also must\n        update our reporting requirements quarterly, since the\n        Office of Management and Budget modifies their request with\n        each successive report. We will use the results of your\n        audit to improve the reporting instructions. In addition,\n        we will propose actions by the Deputy Secretary of Defense\n        to make clear the importance of Year 2000 compliance and\n        the enforcement of reporting and evaluation requirements.\n\n            We look forward to using the results of this and other\n        audits to make sure DoD's Year 2000 efforts are successful.\n\n             Should you have any questions, please contact\n        Ms. Sally Brown of the Year 2000 Oversight and Contingency\n        Planning Office (703) 614-6934.\n\n\nAudit Team Members\n\nThis report was prepared by the Acquisition Management Directorate, Office of\nthe Assistant Inspector General for Auditing, DOD.\n\nThomas F. Gimble\nPatricia A. Brannin\nMary Lu Ugone\nJames W. Hutchinson\nVirginia G. Rogers\nJennifer L. Zucal\nFrank C. Sonsini\nLusk F. Penn\n"